Q & A


Q&A: How to prepare for Spectre, Meltdown exploits — and next-gen ‘microcode’ attacks

By Byron V. Acohido

If you think the cyber threat landscape today is nasty, just wait until the battle front drops to the processor chip level.

Related article: A primer on microcode vulnerabilities

It’s coming, just around the corner. The disclosure in early January of Spectre and Meltdown, critical vulnerabilities that exist in just about all modern computer processing chips, introduced virgin territory for well-funded, highly motivated criminal hackers. And this is where the front lines will inevitably shift — to a much deeper level of the digital systems we take for granted.

Spectre and Meltdown are the first public examples of a new class of flaws rooted in the design of the processor itself. Operating system patches and microcode updates can blunt specific variants, but the underlying weakness cannot be fully fixed until redesigned chips arrive. That suggests that well-financed, highly motivated criminal hacking rings have years, if not a decade or more, ahead of them to take full advantage.

We are in this predicament because the chipmakers, led by Intel, AMD and ARM, aided and abetted by the operating system suppliers, Microsoft, Apple and the Linux community, made a decision in 1995 to toss security in the back seat as they embarked, hell-bent, on a race to build and leverage faster and faster Central Processing Units, or CPUs.

The chipmakers came up with a technique called “speculative execution,” essentially a shortcut at the chip level: the processor runs instructions ahead of knowing whether they are needed, or even permitted, and throws the results away if it guessed wrong. The guess buys performance, but traces of the discarded work remain in the processor’s caches. Meltdown and Spectre represent two approaches hackers can now take to manipulate speculative execution and read sensitive data that should be off limits. Meltdown lets an ordinary program read operating system kernel memory, while Spectre tricks other software into leaking the contents of its own memory. …more
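The bounds-check-bypass pattern described above (Spectre variant 1), shown as an added example that is not part of the original article or of any chip vendor’s or kernel’s code: a victim function whose array index is checked architecturally but can still be used during speculation, beside the branchless index-masking mitigation that the Linux kernel adopted under the name array_index_nospec. The array names, sizes and function names here are constructed for illustration. The speculative leak itself is a cache-timing side effect that a unit test cannot observe; what the code demonstrates is the mask arithmetic and where the fix goes.

```c
/* Added example (not from the original article): a Spectre variant 1 gadget
 * and a Linux-kernel-style index mask that neutralises it. Arrays, sizes and
 * function names are constructed for illustration. Build: cc -O2 spectre_v1.c
 * (the empty asm barrier below is GCC/Clang syntax). */
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

#define ARRAY1_SIZE 16UL
#define LINE 512                         /* one probe slot per possible byte value */

static const uint8_t array1[ARRAY1_SIZE] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * LINE];       /* probe array the attacker can time */

/* Vulnerable gadget. Architecturally the branch protects array1, but until the
 * CPU resolves it, a mis-trained branch predictor lets the two dependent loads
 * run speculatively with an attacker-chosen out-of-bounds x. The speculative
 * result is discarded, yet the line of array2 indexed by array1[x] stays
 * cached, so the attacker learns the byte at array1 + x by timing array2. */
uint8_t victim_vulnerable(unsigned long x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * LINE];
    return 0;
}

/* Branchless mask: all ones when index < size, zero otherwise. With no branch
 * to mispredict, the mask is correct even inside a speculative window.
 * Mirrors array_index_mask_nospec() in the Linux kernel. */
unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
    /* For index < size both terms of the OR have a clear top bit; for
     * index >= size, (size - 1 - index) wraps negative and sets it. Inverting
     * and arithmetic-shifting smears that bit across the whole word. */
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (CHAR_BIT * sizeof(long) - 1));
}

/* Clamp an index to 0 if it is out of bounds, without branching. */
unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
    unsigned long mask = index_mask_nospec(index, size);
    /* Stop the compiler from proving the mask redundant after the bounds check;
     * the compiler reasons about architectural values, not speculative ones. */
    __asm__ volatile("" : "+r"(mask));
    return index & mask;
}

/* Hardened gadget: identical architectural behaviour, but a speculative run
 * past the check now loads array1[0] instead of an attacker-chosen address. */
uint8_t victim_hardened(unsigned long x)
{
    if (x < ARRAY1_SIZE) {
        x = array_index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * LINE];
    }
    return 0;
}

int main(void)
{
    unsigned long probes[] = { 0, 15, 16, 1000, ~0UL };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("index %lu -> mask 0x%016lx, clamped to %lu\n", probes[i],
               index_mask_nospec(probes[i], ARRAY1_SIZE),
               array_index_nospec(probes[i], ARRAY1_SIZE));
    return 0;
}
```

The mask is the same idea regardless of architecture; on x86 the kernel additionally pairs it with barriers such as lfence in the most exposed paths, and compilers and operating systems ship separate mitigations (retpolines, kernel page-table isolation) for the other variants.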

Q&A: What all companies should know about their exposure to ‘open-source’ vulnerabilities

By Byron V. Acohido

Hackers were able to ransack Equifax last year and steal personal data for some 144 million people by exploiting a vulnerability in an open source component that the credit bureau had failed to patch.

Related article: Beware of open-source vulnerabilities lurking all through your network

The hackers leveraged a vulnerability in Apache Struts2, an open-source application framework that underpins the credit bureau’s web portal. It is widely used by developers at Fortune 100 companies to build web applications.

It turns out that Apache Struts2 is widely deployed among small and mid-sized businesses, as well. LastWatchdog recently had a conversation with Rami Sass, CEO and co-founder of WhiteSource, a supplier of open source management systems. We …more

Q&A: How crypto jackers drain computing power from business networks

By Byron V. Acohido

Messaging security firm Proofpoint has been tracking botnet activity as closely as any security vendor. One recent development is the deployment of botnets for hire, such as Necurs, towards illicit crypto mining, or crypto-jacking.

Related article: Crypto jacking spreading faster than ransomware

This silent stealing of corporate computing resources may seem somewhat benign compared to ransomware campaigns or Distributed Denial of Service attacks. In actuality, the harm is material, and this attack development is in a nascent stage.

Last Watchdog asked Kevin Epstein, Proofpoint’s vice president of threat operations, to frame the impact for businesses.

LW: What precisely is the harm caused to my business, if several of my servers are corrupted and directed to crypto-mining?

…more

Q&A: What CyberX is doing to help address the hackable state of industrial control systems

By Byron V. Acohido

Finally, the profoundly hackable state of industrial control systems (ICS) is being elevated as an issue of substantive concern and beginning to get the level of global attention it deserves.

Nation-state backed hackers knocking out power grids and discombobulating other critical infrastructure – the cyber Pearl Harbor scenario – has been discussed for years in military and intelligence circles. However, skepticism and apathy have been the watchwords among the actual operators of industrial control systems.

Related article: Rising energy plant hacks signal cyber war activity

Discussions about better protecting these uniquely vulnerable specialized networks, now generally referred to as operational technology (OT) or industrial control systems, have historically taken a back seat to mainstream IT security issues, such as phishing, ransomware and denial of service attacks.

Fortuitously, that’s beginning to change. A series of disclosures this past year peeled back the curtain on the extent to which Russia, Iran and North Korea, in particular, have been proactively probing and infiltrating OT networks. On a parallel track, a handful of innovative startups have developed purpose-built platforms to address industrial and critical infrastructure security. …more

PODCAST: The case for rethinking security — starting with smarter management of privileged access logons

By Byron V. Acohido

Two cybersecurity trend lines have moved unremittingly up the same curve over the past two decades — and that’s not a good thing.

Year-in and year-out, organizations have steadily increased spending to defend their networks — and they continue to do so, with no end in sight. Research firm MarketsandMarkets estimates that the global cybersecurity market size will grow from $137.85 billion in 2017 to $231.94 billion by 2022, a compound annual growth rate of 11.0%.

Related podcast: Much stronger security can come from simple ‘Identity Access Management’ improvements

At the same time, the damage and disruption caused by malicious hackers has also continued to rise, with no end in sight. One recent measure of this comes from a survey of senior officials at 120 large enterprises, conducted by research firm Forrester and sponsored by Centrify, a leading supplier of identity and access management (IAM) technologies.


C-level executives disclosed to Forrester that two-thirds of their companies had been breached multiple times, a startling five times on average over the past two years. What’s more, respondents indicated these break-ins occurred evenly all across the network: at endpoints, servers, databases and in software-as-a-service systems. …more

Q&A: Meet insurance underwriters’ newest obsession — vulnerability assessments

By Byron V. Acohido

From very early on, cyber criminals have been smart enough to focus their attention on vulnerabilities – the endless coding weak points arising from our increasing dependence on complex software and software-run systems.

Finally, the good guys are doing the same. One security vendor I recently spoke to — Risk Based Security – is among the innovative vendors involved in helping companies identify, assess and patch vulnerabilities.

Related article: Insurance giant Zurich partners with Deloitte cybersecurity

Obviously, a comprehensive understanding of the vulnerabilities your organization is exposed to, at any given time, is a vital layer of defense. What’s really interesting is that the insurance industry has come to recognize this, and has begun using vulnerability assessments as a key measure for qualifying companies looking to offset cyber risk via a cyber insurance policy.

Jake Kouns, CISO at Risk Based Security, walked me through the context of this emerging trend. Here are excerpts of our conversation, edited for clarity and length. For a deeper drill down, please listen to the accompanying podcast. …more

Q&A: How the ‘PKI ecosystem’ could be the answer to securing the Internet of Things

By Byron V. Acohido

Google is making a big push to compel website publishers to jettison plain HTTP and adopt HTTPS, which wraps web traffic in Transport Layer Security (TLS) encryption, as a de facto standard, and it is expanding its own use of this important encryption technology.

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are the underpinnings of secure online transactions. They come into play in the form of digital certificates issued by Certificate Authorities (CAs), vendors that verify a website operator controls the domain in question and vouch for the site’s public key. A browser uses that certificate to confirm it is talking to the genuine site and to set up an encrypted session for the information consumers type into web page forms.

This robust protection gets implemented by leveraging an encryption and authentication framework called the public key infrastructure (PKI). This all happens in the blink of an eye when you visit …more